Third in a series. New variants and new methods proliferate in the wake of 76service.

The hackers known as 76 and Exoric weren’t just the
managers of 76service; they were also clients. Through his
undercover work, SecureWorks researcher Don Jackson found that
Exoric himself owned a project – a portfolio of
trojan-infected machines – just like the ones the team
sold. Only, since access was free to him, his was a much bigger
project, with hundreds of bots focused exclusively on
Gozi-infected machines in Mexico and Chile (.mx and .cl
domains), and no 30-day expiration. For a while, Exoric also
used his own storefront for the Latin and South American
markets, called GucciService.

But by May the business was strained by the constant pursuit
of researchers writing signatures to detect Gozi and law
enforcement working with them to find and take down the
76service servers.

Early in the month, Jackson was able to say “Gozi
isn’t working. No one is going to the site.” At
this time, his personal site was also the victim of what he
termed a poor DDoS attack that lasted 36 hours. Soon after
that, when he visited 76service.com, he found it abandoned,
with a simple message: “I choose shadow. Please, never
come back again.”

It seemed that, finally, it was over. But it wasn’t,
of course. In fact, even before Jackson found 76service.com
abandoned, a new Gozi variant was already at work, and it would
later be learned that it had been infecting machines since at
least April 14. This latest Gozi bot was better than ever. It had
added keystroke logging as an alternative to form grabbing. And
recognizing that researchers were their primary adversaries,
the new version added features to stymie detection and reverse
engineering. “Every copy of Gozi has a unique infection
ID,” explains Jackson. “So when data comes into the
server it can check against the ID to make sure it’s a
valid infection. This new version also checked to see what your
bot had sent before. Basically it could shut you off if you
kept logging in without delivering good data, which is what
researchers do.” The new version also logged the
bot’s IP address so that it could be blocked from
communicating with the server.

But there were problems. A programming glitch caused the
service to create huge files of redundant information,
interrupting service to customers while the duo tried to fix
it. “That’s why QA testing is so important,”
deadpans Jackson. They had only nabbed about 500MB of data off
of 200 infected PCs when their new ISP, which Jackson says was
based in Panama, took them offline again.

It was a poor reemergence. Lurking on a discussion board
with a colleague who could translate Russian, Jackson found a
post by someone named 57, a hacker thought to be part of the
HangUp Team. 57 wrote that 76 broke off work with Exoric
because the two were spending more time on the lam than they
did running the service.

The FBI had wound down the case, according to Jackson
(though in an official statement given to CSO from the press
office, the FBI says it welcomes any leads on information
related to Gozi and 76service, which it termed
“unique”). While they continued to monitor some
accounts they knew were connected to 76service, Jackson
didn’t think it would progress beyond that. 76service was
officially defunct. By early June, 76 and Exoric had dissolved
their partnership.

But 57 also seemed to indicate that 76 was back with HangUp
Team and busy rewriting the Gozi form grabber. The new
architecture would allow 76 to hide the drop servers from
prying eyes, making it harder to interrupt or shut services
down.

Jackson predicted at the time that a new 76service would
follow in kind. After all, 76service didn’t fail because
of the service model. It failed because of a lack of manpower
to secure and manage the service. It couldn’t scale.
“I think they cobbled together Gozi and 76service to see
what it could do,” says Jackson. “They realize what
they need to do next. They spotted weaknesses. Torpig was the
next step; it was better. Now what’s next?” With
the help of the HangUp Team, a 76service-like site capable of
enduring its own success will return, using some descendant of
Gozi or Torpig.